Post on 25-Feb-2021
Outline Review Decidability of security Take-Grant Protection Model
Lecture 3: Decidability
January 11, 2011
Lecture 3, Slide 1 ECS 235B, Foundations of Information and Computer Security January 11, 2011
Outline Review Decidability of security Take-Grant Protection Model
1 Review
2 Decidability of securityMono-operational command caseGeneral case
3 Take-Grant Protection ModelSharing rightsTake-Grant SystemsStealing rightsConspiracy
Lecture 3, Slide 2 ECS 235B, Foundations of Information and Computer Security January 11, 2011
Outline Review Decidability of security Take-Grant Protection Model
Why no “or”?
Unnecessary!
Break conditional expression into sequence of disjuncts
Write command with same body for each disjunct
Call them sequentially!
Lecture 3, Slide 3 ECS 235B, Foundations of Information and Computer Security January 11, 2011
Outline Review Decidability of security Take-Grant Protection Model
r , c Commands
command g ran t · r ead · f i l e · i f r (p , f )i f r i n A[ p , f ]then
enter r into A[ q , f ] ;enter w into A[ q , f ] ;
end
command g ran t · r ead · f i l e · i f c (p , f )i f c i n A[ p , f ]then
enter r into A[ q , f ] ;enter w into A[ q , f ] ;
end
Lecture 3, Slide 4 ECS 235B, Foundations of Information and Computer Security January 11, 2011
Outline Review Decidability of security Take-Grant Protection Model
r or c Command
command g ran t · r ead · f i l e · i f r o r c (p , f )g ran t · r ead · f i l e · i f r (p , f )g ran t · r ead · f i l e · i f c (p , f )
end
Lecture 3, Slide 5 ECS 235B, Foundations of Information and Computer Security January 11, 2011
Outline Review Decidability of security Take-Grant Protection Model
What is “Secure”?
Leaking
Adding a generic right r where there was not one is leaking
Safe
If a system S , beginning in initial state s0, cannot leak right r , it issafe with respect to the right r .
Here, “safe” = “secure” for an abstract model
Lecture 3, Slide 6 ECS 235B, Foundations of Information and Computer Security January 11, 2011
Outline Review Decidability of security Take-Grant Protection Model
What is Does “Decidable” Mean?
Safety Question
Does there exist an algorithm for determining whether a protectionsystem S with initial state s0 is safe with respect to a generic rightr?
Lecture 3, Slide 7 ECS 235B, Foundations of Information and Computer Security January 11, 2011
Outline Review Decidability of security Take-Grant Protection Model
Mono-operational command case
Mono-Operational Commands
Answer:
Yes!
Proof sketch:Consider minimal sequence of commands c1, . . . , ck to leak theright
Can omit delete, destroy
Can merge all creates into one
Worst case: insert every right into every entry; with s subjects, o
objects, and n rights initially, upper bound is k ≤ n(s + 1)(o + 1)
Lecture 3, Slide 8 ECS 235B, Foundations of Information and Computer Security January 11, 2011
Outline Review Decidability of security Take-Grant Protection Model
Mono-operational command case
Proof (1)
Consider minimal sequences of commands (of length m)needed to leak r from system with initial state s0
Identify each command by the type of primitive operation itinvokes
Cannot test for absence of rights, so delete, destroy notrelevant
Ignore them
Reorder sequences of commands so all creates come first
Can be done because enters require subject, object to exist
Commands after these creates check only for existence ofright
Lecture 3, Slide 9 ECS 235B, Foundations of Information and Computer Security January 11, 2011
Outline Review Decidability of security Take-Grant Protection Model
Mono-operational command case
Proof (2)
It can be shown (see homework):
Suppose s1, s2 are created, and commands test rights inA[s1, o1], A[s2, o2]Doing the same tests on A[s1, o1] andA[s1, o2] = A[s1, o2] ∪ A[s2, o2] gives same resultThus all creates unnecessary
Unless s0 is empty; then you need to create it (1 create)
In s0:
|S0| number of subjects, |O0| number of objects,n number of(generic) rights
In worst case, 1 create
So a total of at most (|S0|+ 1)(|O0|+ 1) elements
So m ≤ n(|S0|+ 1)(|O0|+ 1)
Lecture 3, Slide 10 ECS 235B, Foundations of Information and Computer Security January 11, 2011
Outline Review Decidability of security Take-Grant Protection Model
General case
General Case
Answer:
No
Proof sketch:
1 Show arbitrary Turing machine can be reduced to safetyproblem
2 Then deciding safety problem means deciding the haltingproblem
Lecture 3, Slide 11 ECS 235B, Foundations of Information and Computer Security January 11, 2011
Outline Review Decidability of security Take-Grant Protection Model
General case
Turing Machine Review
Infinite tape in one direction
States K , symbols M, distinguished blank b/
State transition function δ(k,m) = (k ′,m′, L)in state k with symbol m under the TM headreplace m with m′, move head left one square, enter state k ′
Halting state is qf
Lecture 3, Slide 12 ECS 235B, Foundations of Information and Computer Security January 11, 2011
Outline Review Decidability of security Take-Grant Protection Model
General case
Mapping
Turing machine access control matrix representation
1 2 3 4 · · ·
A B C D · · ·
↑k
⇒
s1 s2 s3 s4 · · ·s1 A o · · ·s2 B o · · ·s3 C k o · · ·s4 D e · · ·...
......
......
. . .
Turing machine with head over square 3 on tape, in state k
and its representation as an access control matrixo is own righte is end right
Lecture 3, Slide 13 ECS 235B, Foundations of Information and Computer Security January 11, 2011
Outline Review Decidability of security Take-Grant Protection Model
General case
Mapping
Turing machine access control matrix representation
1 2 3 4 · · ·
A B X D · · ·
↑k1
⇒
s1 s2 s3 s4 · · ·s1 A o · · ·s2 B o · · ·s3 X o · · ·s4 D k1 e · · ·...
......
......
. . .
After δ(k, C) = (k1, X, R), where k is the previous state and k1
the current state
Lecture 3, Slide 14 ECS 235B, Foundations of Information and Computer Security January 11, 2011
Outline Review Decidability of security Take-Grant Protection Model
General case
Command Mapping
δ(k, C) = (k1, X, R) at intermediate becomes:
command ck,C (si ,si+1 )i f o i n A[ si ,si+1 ] and k i n A[ si ,si ] and C i n A[ si ,si ]then
delete k from A[ si ,si ] ;delete C from A[ si ,si ] ;enter X into A[ si ,si ] ;enter k1 into A[ si+1 ,si+1 ] ;
end
Lecture 3, Slide 15 ECS 235B, Foundations of Information and Computer Security January 11, 2011
Outline Review Decidability of security Take-Grant Protection Model
General case
Mapping
Turing machine access control matrix representation
1 2 3 4 5
A B X Y b/
↑k2
⇒
s1 s2 s3 s4 s5s1 A o
s2 B o
s3 X o
s4 Y o
s5 k2 e
After δ(k1, D) = (k2, Y, R), where k1 is the previous state and k2
the current state
Lecture 3, Slide 16 ECS 235B, Foundations of Information and Computer Security January 11, 2011
Outline Review Decidability of security Take-Grant Protection Model
General case
Command Mapping
δ(k1, D) = (k2, Y, R) at intermediate becomes:
command c r i gh tmos t k,D (si ,si+1 )i f e i n A[ si ,si ] and k1 i n A[ si ,si ] and D i n A[ si , si ]then
delete e from A[ si ,si ] ;create subject y ;enter o into A[ si ,si+1 ] ;enter e into A[ si+1 ,si+1 ] ;delete k1 from A[ si ,si ] ;delete D from A[ si ,si ] ;enter Y into A[ si ,si ] ;enter k2 into A[ si+1 ,si+1 ] ;
end
Lecture 3, Slide 17 ECS 235B, Foundations of Information and Computer Security January 11, 2011
Outline Review Decidability of security Take-Grant Protection Model
General case
Rest of Proof
Protection system exactly simulates a Turing machine
Exactly 1 end (e) right in access control matrix1 right in entries corresponds to stateThus, at most 1 applicable command
If Turing machine enters state qf , then right has leaked
If safety question decidable, then represent TM as protectionsystem and determine if qf leaks
This implies halting problem is decidable
Conclusion: safety question undecidable
Lecture 3, Slide 18 ECS 235B, Foundations of Information and Computer Security January 11, 2011
Outline Review Decidability of security Take-Grant Protection Model
General case
Other Results
Set of unsafe symbols is recursively enumerable
Delete create primitive; then safety question is complete inP-SPACE
Delete destroy, delete primitives; then safety question isundecidable
Such systems are called monotonic
Safety question for monoconditional, monotonic protectionsystems is decidable
Safety question for monoconditional protection systems withcreate, enter, delete (and no destroy) is decidable
Lecture 3, Slide 19 ECS 235B, Foundations of Information and Computer Security January 11, 2011
Outline Review Decidability of security Take-Grant Protection Model
Take-Grant Protection Model
A specific (not generic) system
Set of rules for state transitions
Safety decidable, and in time linear with the size of the system
Goal: find conditions under which rights can be transferredfrom one entity to another in the system
Lecture 3, Slide 20 ECS 235B, Foundations of Information and Computer Security January 11, 2011
Outline Review Decidability of security Take-Grant Protection Model
System
◦ objects (passive entities like files, . . . )
• subjects (active entities like users, processes . . . )⊗ don’t care (either a subject or an object)G ⊢x G ′ apply rewriting rule x (witness) to G to get G ′
G ⊢∗ G ′ apply a sequence of rewriting rules (witness) toG to get G ′
R = {t, g , . . .} set of rights
Lecture 3, Slide 21 ECS 235B, Foundations of Information and Computer Security January 11, 2011
Outline Review Decidability of security Take-Grant Protection Model
Take, Grant Rules
In these rules, β ⊆ α ⊆ R
take rulex•
y⊗
z⊗
t α⊢
x•
y⊗
z⊗
t α
β
grant rulex⊗
y•
z⊗
g α⊢
x⊗
y•
z⊗
g α
β
Lecture 3, Slide 22 ECS 235B, Foundations of Information and Computer Security January 11, 2011
Outline Review Decidability of security Take-Grant Protection Model
Create, Remove Rules
create rulex• ⊢
x•
y⊗
t
remove rulex•
y⊗
α⊢
x•
y⊗
α− β
These four rules are the de jure rules
Lecture 3, Slide 23 ECS 235B, Foundations of Information and Computer Security January 11, 2011
Outline Review Decidability of security Take-Grant Protection Model
Symmetry of Take and Grant
x•
y•
z⊗
g α⊢
x•
y•
z⊗
g α
β
x•
y•
z⊗
g α⊢
x•
y•
z⊗
g α
β
Lecture 3, Slide 24 ECS 235B, Foundations of Information and Computer Security January 11, 2011
Outline Review Decidability of security Take-Grant Protection Model
Symmetry of Take and Grant
x•y•
z⊗
v
g α
tg
1 x creates (tg to new) v
Lecture 3, Slide 25 ECS 235B, Foundations of Information and Computer Security January 11, 2011
Outline Review Decidability of security Take-Grant Protection Model
Symmetry of Take and Grant
x•y
•z⊗
v
g α
tg g
1 x creates (tg to new) v
2 x grants (g to v) to y
Lecture 3, Slide 26 ECS 235B, Foundations of Information and Computer Security January 11, 2011
Outline Review Decidability of security Take-Grant Protection Model
Symmetry of Take and Grant
x•y
•z⊗
v
g α
tg g β
1 x creates (tg to new) v
2 x grants (g to v) to y
3 y grants (β to z) to v
Lecture 3, Slide 27 ECS 235B, Foundations of Information and Computer Security January 11, 2011
Outline Review Decidability of security Take-Grant Protection Model
Symmetry of Take and Grant
x•y
•z⊗
v
g α
tg g β
β
1 x creates (tg to new) v
2 x takes (g to v) from x
3 y grants (β to z) to v
4 x takes (β to z) from v
Lecture 3, Slide 28 ECS 235B, Foundations of Information and Computer Security January 11, 2011
Outline Review Decidability of security Take-Grant Protection Model
Islands
tg-path: path of distinct vertices connected by edges labeled tor g
Call them tg-connected
island : maximal tg -connected subject-only subgraph
Any right that a vertex in the island has, can be shared withany other vertex in the island
Lecture 3, Slide 29 ECS 235B, Foundations of Information and Computer Security January 11, 2011
Outline Review Decidability of security Take-Grant Protection Model
Initial, Terminal Spans
initial span from x to y: x can give rights it has to y
xsubject
tg -path between x, y with word in {−→t∗−→g } ∪ {ν}
terminal span from x to y: x can get rights y has
xsubject
tg -path between x, y with word in {−→t∗} ∪ {ν}
Lecture 3, Slide 30 ECS 235B, Foundations of Information and Computer Security January 11, 2011
Outline Review Decidability of security Take-Grant Protection Model
Bridges
bridge tg -path between subjects x, y, with associated word in
{−→t∗ ,←−t∗ ,−→t∗−→g←−t∗ ,−→t∗←−g←−t∗}
rights can be transferred between the two endpointsnot an island as intermediate vertices are objects
Lecture 3, Slide 31 ECS 235B, Foundations of Information and Computer Security January 11, 2011
Outline Review Decidability of security Take-Grant Protection Model
Example
p•
u•
v w•
x y•
s′
•s
q
t
t g g t
g
t r
islands: {p,u}, {w}, {y, s′}
bridges: u, v, w; w, x, y
initial span: p (associated word ν)
terminal span: s′s (associated word−→t )
Lecture 3, Slide 32 ECS 235B, Foundations of Information and Computer Security January 11, 2011
Outline Review Decidability of security Take-Grant Protection Model
Sharing rights
can·share Predicate
can·share(r, x, y, G0) holds if, and only if, there is a sequence ofprotection graphs G0, . . . ,Gn such that G0 ⊢
∗ Gn using only de jure
rules and in Gn there is an edge from x to y labeled r
Lecture 3, Slide 33 ECS 235B, Foundations of Information and Computer Security January 11, 2011
Outline Review Decidability of security Take-Grant Protection Model
Sharing rights
can·share Theorem
can·share(r, x, y, G0) holds if, and only if, there is an edge from x
to y labeled r in G0, or the following hold simultaneously:
there is an s in G0 with an s-to-y edge labeled r ;
there is a subject x′ = x or x′ initially spans to x;
there is a subject s′ = s or s′ terminally spans to s; and
there are islands I1, . . . , Ik connected by bridges, x′ is in I1,and s′ is in Ik
Lecture 3, Slide 34 ECS 235B, Foundations of Information and Computer Security January 11, 2011
Outline Review Decidability of security Take-Grant Protection Model
Sharing rights
Outline of Proof
1 s has r rights over y
2 s′ acquires r rights over y from s
Definition of terminal span
3 x′ acquires r rights over y from s′
Repeated application of sharing among vertices in islands,passing rights along bridges
4 x′ gives r rights over y to x
Definition of initial span
Lecture 3, Slide 35 ECS 235B, Foundations of Information and Computer Security January 11, 2011
Outline Review Decidability of security Take-Grant Protection Model
Sharing rights
Interpretation
Access control matrix is generic
Can be applied in any situation
Take-Grant has specific rules, rights
Can be applied in situations matching rules, rights
What states can evolve from a system that is modeled usingthe Take-Grant Protection Model?
Lecture 3, Slide 36 ECS 235B, Foundations of Information and Computer Security January 11, 2011
Outline Review Decidability of security Take-Grant Protection Model
Take-Grant Systems
Take-Grant Generated Systems
Theorem: Let G0 be a protection graph with 1 subject and noedges. Let R be a set of rights. Then G0 ⊢
∗ G if, and only if,
G is a finite, directed graph consisting of subjects, objects,and edges;
the edges are labeled from a non-empty subset of R ; and
at least 1 vertex in G has no incoming edges
Lecture 3, Slide 37 ECS 235B, Foundations of Information and Computer Security January 11, 2011
Outline Review Decidability of security Take-Grant Protection Model
Take-Grant Systems
Proof (1)
⇒: By construction; let G be the final graph in the theorem
Let x1, . . . , xn be subjects in G
Let x1 have no incoming edges
Let α = R
Construct G ′ as follows:
1 Do “x1 creates (α ∪ {g} to) new subject xi”
2 For all (xi , xj ) where xi has a right over xj , do“x1 grants (α to xj) to xi”
3 Let β be the rights xi has over xj in G ; then do“x1 removes ((α ∪ {g})− β) to xj)”
Now G ′ is the desired G
Lecture 3, Slide 38 ECS 235B, Foundations of Information and Computer Security January 11, 2011
Outline Review Decidability of security Take-Grant Protection Model
Take-Grant Systems
Proof (2)
⇐: Let v be the initial subject, and G0 ⊢∗ G
Inspection of rules gives:
G is finite;G is a directed graph;Subjects and objects only; andAll edges are labeled with nonempty subsets of R
Limits of rules:
None allows vertices to be deleted, so v is in G
None adds incoming edges to vertices without any incomingedges, so v has no incoming edges.
Lecture 3, Slide 39 ECS 235B, Foundations of Information and Computer Security January 11, 2011
Outline Review Decidability of security Take-Grant Protection Model
Take-Grant Systems
Example: Shared Buffer
p
•u
s•
q•
v
g
g
r,w
r,w
Goal: p, q to communicate throughshared buffer b controlled by trustedentity s
Lecture 3, Slide 40 ECS 235B, Foundations of Information and Computer Security January 11, 2011
Outline Review Decidability of security Take-Grant Protection Model
Take-Grant Systems
Example: Shared Buffer
p
•u
s•
q•
v
b
g
g
r,w
r,w
r,w
Goal: p, q to communicate throughshared buffer b controlled by trustedentity s
1 s creates ({r ,w} to) new object b
Lecture 3, Slide 41 ECS 235B, Foundations of Information and Computer Security January 11, 2011
Outline Review Decidability of security Take-Grant Protection Model
Take-Grant Systems
Example: Shared Buffer
p
•u
s•
q•
v
b
g
g
r,w
r,w
r,w
r,w
Goal: p, q to communicate throughshared buffer b controlled by trustedentity s
1 s creates ({r ,w} to) new object b
2 s grants ({r ,w} to b) to p
Lecture 3, Slide 42 ECS 235B, Foundations of Information and Computer Security January 11, 2011
Outline Review Decidability of security Take-Grant Protection Model
Take-Grant Systems
Example: Shared Buffer
p
•u
s•
q•
v
b
g
g
r,w
r,w
r,w
r,w
r,w
Goal: p, q to communicate throughshared buffer b controlled by trustedentity s
1 s creates ({r ,w} to) new object b
2 s grants ({r ,w} to b) to p
3 sgrants ({r ,w} to b) to q
Lecture 3, Slide 43 ECS 235B, Foundations of Information and Computer Security January 11, 2011
Outline Review Decidability of security Take-Grant Protection Model
Stealing rights
can·steal Predicate
can·steal(r, x, y, G0) holds if, and only if, there is no edge from x
to y labeled r in G0, and the following hold simultaneously:
there is an edge from x to y labeled r in G ;
there is a sequence of rule applications ρ1, . . . , ρn such thatGi−1 ⊢ρi
Gi ; and
for all vertices v, w in Gi−1, if there is an edge from v to y inG0 labeled r, then ρi is not of the form“v grants (r to y) to w”
Lecture 3, Slide 44 ECS 235B, Foundations of Information and Computer Security January 11, 2011
Outline Review Decidability of security Take-Grant Protection Model
Stealing rights
Example of Stealing
v•
x•
s•u•
w
g α
t
t
t
can·steal(α, s, w, G0)
Lecture 3, Slide 45 ECS 235B, Foundations of Information and Computer Security January 11, 2011
Outline Review Decidability of security Take-Grant Protection Model
Stealing rights
Example of Stealing
v•
x•
s•u•
w
g α
t
t
tt
can·steal(α, s, w, G0):
1 u grants (t to v) to s
Lecture 3, Slide 46 ECS 235B, Foundations of Information and Computer Security January 11, 2011
Outline Review Decidability of security Take-Grant Protection Model
Stealing rights
Example of Stealing
v•
x•
s•u•
w
g α
t
t
tt
t
can·steal(α, s, w, G0):
1 u grants (t to v) to s
2 s takes (t to x) from v
Lecture 3, Slide 47 ECS 235B, Foundations of Information and Computer Security January 11, 2011
Outline Review Decidability of security Take-Grant Protection Model
Stealing rights
Example of Stealing
v•
x•
s•u
•w
g α
t
t
tt
t
t
can·steal(α, s, w, G0):
1 u grants (t to v) to s
2 s takes (t to x) from v
3 s takes (t to u) from x
Lecture 3, Slide 48 ECS 235B, Foundations of Information and Computer Security January 11, 2011
Outline Review Decidability of security Take-Grant Protection Model
Stealing rights
Example of Stealing
v•
x•
s•u
•w
g α
t
t
tt
t
t
α
can·steal(α, s, w, G0):
1 u grants (t to v) to s
2 s takes (t to x) from v
3 s takes (t to u) from x
4 s takes (α to w) from u
Lecture 3, Slide 49 ECS 235B, Foundations of Information and Computer Security January 11, 2011
Outline Review Decidability of security Take-Grant Protection Model
Stealing rights
can·steal Theorem
can·steal(α, x, y, G0) holds if, and only if, the following holdsimultaneously:
there is no edge from x-to-y labeled α in G0;
there is a subject x′ = x or x′ initially spans to x;
there is a vertex s with an edge to y labeled α in G0; and
can·share(t, x′, s, G0) holds
Lecture 3, Slide 50 ECS 235B, Foundations of Information and Computer Security January 11, 2011
Outline Review Decidability of security Take-Grant Protection Model
Stealing rights
Proof (1)
⇒: Assume all four conditions hold
If x a subject:
x gets t rights to s (last condition); then takes α to y from s
(third condition)
If x an object:
can·share(t, x′, s, G0) holdsIf x′ has no α edge to y in G0, x′ takes (α to y) from s andgrants it to x
If x′ has an edge to y in G0, x′ creates surrogate x′′, gives it (tto s) and (g to x′′); then x′′ takes (α to y) and grants it to x
Lecture 3, Slide 51 ECS 235B, Foundations of Information and Computer Security January 11, 2011
Outline Review Decidability of security Take-Grant Protection Model
Stealing rights
Proof (2)
⇐: Assume can·steal(α, x, y, G0) holds
First two conditions are immediate from definition ofcan·share, can·steal
Third condition is immediate from theorem of conditions forcan·share
Fourth condition: let ρ be a minimal length sequence of ruleapplications deriving Gn from G0
Let i be the smallest index such that Gi−1 ⊢ρiGi that adds α
from some p to y in Gi
What rule is ρi?
Lecture 3, Slide 52 ECS 235B, Foundations of Information and Computer Security January 11, 2011
Outline Review Decidability of security Take-Grant Protection Model
Stealing rights
Proof (3)
Not remove or create rule
y exists already
Not grant rule
Gi is the first graph in which an edge labeled α to y is added,so by definition of can·share, it cannot be a grant
Therefore ρi must be a take rule, so can·share(t, p, s, G0)holds
By earlier theorem, there is a subject s′ such that s′ = s or s′
terminally spans to s
Also, sequence of islands I1, . . . , In with x′ ∈ I1, s′ ∈ In
Now consider what s is
Lecture 3, Slide 53 ECS 235B, Foundations of Information and Computer Security January 11, 2011
Outline Review Decidability of security Take-Grant Protection Model
Stealing rights
Proof (4)
If s object, s′ 6= s
If s′, p in same island, take p = s′; the can·share(t, x, s, G0)holdsIf they are not, the sequence is minimal, contradictingassumptionSo choose s′ in same island as p
Lecture 3, Slide 54 ECS 235B, Foundations of Information and Computer Security January 11, 2011
Outline Review Decidability of security Take-Grant Protection Model
Stealing rights
Proof (5)
If s subject, p ∈ In
If p /∈ G0, there is a subject q such that can·share(t, q, s, G0)holds
s ∈ G0 and none of the rules add new lables to incoming edgeson existing vertices
As s owns α rights to y in G0, two cases arise:
If s = q, replace “s grants (α to y) to q” with the sequence:p takes (α to y) from s
p takes (g to q) from s
p grants (α to y) to q
If s = q, you only need the first
Lecture 3, Slide 55 ECS 235B, Foundations of Information and Computer Security January 11, 2011
Outline Review Decidability of security Take-Grant Protection Model
Conspiracy
Conspiracy
Minimize number of actors to generate a witness forcan·share(α, x, y, G0)
Actor is defined as x such that x initiates ρi
Access set describes the “reach” of a subject
Deletion set is set of verticies that cannot be involved in atransfer of rights
Build conspiracy graph to capture how rights flow, and deriveactors from it
Lecture 3, Slide 56 ECS 235B, Foundations of Information and Computer Security January 11, 2011
Outline Review Decidability of security Take-Grant Protection Model
Conspiracy
Access Set
Access set A(x) with focus x: set of vertices
{x}{y | x initially spans to y}{y | x terminally spans to y}
Idea is that vertex at focus can give rights to, or acquirerights from, a vertex in access set
Lecture 3, Slide 57 ECS 235B, Foundations of Information and Computer Security January 11, 2011